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Abstract 



i-^ We study the quantum query complexity of the Boolean hidden shift problem. Given oracle 

II access to f{x + s) for a known Boolean function /, the task is to determine the n-bit string s. 

(-H The quantum query complexity of this problem depends strongly on /. We demonstrate that the 

C^ easiest instances of this problem correspond to bent functions, in the sense that an exact one- 

query algorithm exists if and only if the function is bent. We partially characterize the hardest 
instances, which include delta functions. Moreover, we show that the problem is easy for random 
functions, since two queries suffice. Our algorithm for random functions is based on performing 
the pretty good measurement on several copies of a certain state; its analysis relies on the Fourier 
fSJ transform. We also use this approach to improve the quantum rejection sampling approach to 

xj the Boolean hidden shift problem. 

^' 1 Introduction 

O 

(T^ Many computational problems for which quantum algorithms can achieve superpolynomial 

^~~^ speedup over the best known classical algorithms are related to the hidden subgroup problem 

J> (see for example [1]). 

rN ► Problem 1 (Hidden subgroup problem). For any finite group G, say that a function 

^ f : G ^ X hides a subgroup i? of G if it is constant on cosets of i? in G and distinct on 

different cosets. Given oracle access to such an /, find a generating set for H . 

Two early examples of algorithms for hidden subgroup problems are the Deutsch-Jozsa 
algorithm [2] and Simon's algorithm [3]. Inspired by the latter, Shor discovered efficient 
quantum algorithms for factoring integers and computing discrete logarithms [4]. Kitaev 
subsequently introduced the Abelian stabilizer problem and derived an efficient quantum 
algorithm for it that includes Shor's factoring and discrete logarithm algorithms as special 
cases [5]. Eventually it was observed that all of the above algorithms solve special instances 
of the hidden subgroup problem [6, 7, 8]. 
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This early success created significant interest in studying various instances of the hidden 
subgroup problem and led to discovery of many other quantum algorithms. For example, 
period finding over the reals was used by Hallgren to construct an efficient quantum algorithm 
for solving Pell's equation [9]. Moreover, the hidden subgroup problem over symmetric and 
dihedral groups are related to the graph isomorphism problem [10, 11, 12, 13] and certain 
lattice problems [14], respectively. The possibility of efficient quantum algorithms for these 
problems remains a major open question. Kuperberg has provided a subexponential-time 
quantum algorithm for the dihedral subgroup problem [15, 16, 17], which has been used to 
construct elliptic curve isogenies in quantum subexponential time [18]. 

The hidden shift problem (also known as the hidden translation problem) is a natural 
variant of the hidden subgroup problem. 

► Problem 2 (Hidden shift problem). Let G be a finite group. Given oracle access to functions 
/o; /i • G — > X with the promise that fo{x) — fi(x ■ s) for some s £ G, determine s. 

If G is Abelian and /o is injective, this problem is equivalent to the hidden subgroup 
problem in the semidirect product group G xi Z2, where the group operation is defined by 
(cci, &i) • {x2, ^2) •= {xi ■ X2 ,bi + 62) and the hiding function /: G xi Z2 — > X is defined 
as f[{x, b)] := fb{x). One can check that / is constant on cosets of H := ((s, 1)) and that 
injectivity of /q implies that / is distinct on different cosets. Thus, / hides the subgroup H 
in G XI Z2. 

Notice that ii G ~ Z^ then G xi Z2 is the dihedral group. Ettinger and H0yer [19] 
showed that the dihedral hidden subgroup problem reduces to the special case of a subgroup 
((s, 1)). Thus the hidden shift problem in Z^ (with /o injective) is equivalent to the dihedral 
hidden subgroup problem, motivating further study of the hidden shift problem for various 
groups [20, 21, 22, 23, 24, 25]. 

While the case where /o is injective is simply related to the hidden subgroup problem, 
one can also consider the hidden shift problem without this promise. For example, van Dam, 
Hallgren, and Ip [20] gave an efficient quantum algorithm to solve the shifted Legendre symbol 
problem, a non-injective hidden shift problem. Their result breaks a proposed pseudorandom 
function [26], showing the potential for cryptographic applications of hidden shift problems. 
Work on hidden shift problems can also inspire new algorithmic techniques, such as quantum 
rejection sampling [27]. Moreover, negative results could have applications to designing 
classical cryptosystems that are secure against quantum attacks [14]. 

For the rest of the paper we restrict our attention to the Boolean hidden shift problem, 
in which the hiding function has the form /q: Zj — > Z2 for some integer n > 1. For this 
problem (with n > 1), /o is necessarily non-injective. This problem has previously been 
studied in [28, 29, 30, 27, 31]. 

Notice that to determine the hidden shift of an injective function /o, it suffices to find Xq 
and xi such that fo{xo) = fi{xi). However, this does not hold in the non-injective case, so 
it is nontrivial to verify a candidate hidden shift (see [27, Appendix B]). In fact, sometimes 
the hidden shift cannot be uniquely determined in principle (see Sect. D.l). On the other 
hand, by considering functions with codomain Z2, we have more structure than in the hidden 
subgroup problem or the injective hidden shift problem, where the codomain is arbitrary. 
We exploit this structure by encoding the values of the function as phases and using the 
Fourier transform. 

More precisely, the main problem studied in this paper, sometimes denoted BHSP/, is 
as follows. 
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► Problem 3 (Boolean hidden shift problem). Given a complete description of a function 
/: Zj — > Z2 and access to an oracle for the shifted function fs{x) '■= f{x + s), determine the 
hidden shift s G Z2 . 

Note that in degenerate cases, when the oracle does not contain enough information to 
completely recover the hidden shift, no algorithm can succeed with certainty. 

Let us highlight the main differences between the above problem and other types of 
hidden shift problem. In the Boolean hidden shift problem, 
H the function / is not injective, and 
H we are given a complete description of the unshifted function / instead of having only 

oracle access to /. 
Moreover, we are interested only in the query complexity of the problem and do not consider 
its time complexity. This means that we can pre-process the description of / (which may be 
exponentially large) at no cost before we start querying the oracle. 

This problem has been considered previously, e.g., by [27]. Note that some prior work 
does not give complete description of / but only oracle access to it [28, 29, 30, 31] (and in 
some cases [29] also gives oracle access also to /, the dual bent function of /). 

To address this problem on a quantum computer, we use an oracle that computes the 
shifted function in the phase. Such an oracle can be implemented using only one query to an 
oracle that computes the function in a register. 

► Definition 1. The quantum phase oracle is O/^ : \x) i-> (— l)-''(^+'*)|a;). 

More generally, one can use a controlled phase oracle Of^ : \b,x) H> (— 1)'''^(^+''^|&, a;) for 
& G {0, 1}, which is equivalent to an oracle that computes the function in the first register up 
to a Hadamard transform. Some of our algorithms do not make use of this freedom, although 
our lower bounds always take it into account. 

Ultimately, we would like to characterize the classical and quantum query complexities 
of the hidden shift problem for any Boolean function (or more generally, for any function 
/: Z^- — 7^ Zrf). While we do not resolve this question completely, we make progress by 
providing a new quantum query algorithm (see Sect. 4) and improving an existing one (see 
Sect. 5). However, it remains an open problem to better understand both the classical and 
quantum query complexities of the BHSP for general functions. 

While general functions are difficult to handle, the quantum query complexity of the 
hidden shift problem is known for two extreme classes of Boolean functions: 
H If / is a bent function, i.e., it has a "flat" Fourier spectrum (see Sect. 3.1), then one 

quantum query suffices to solve the problem exactly [29] . 
H If / is a delta function, i.e., f{x) '■— Sx.x,, for some xq G Zj , then the hidden shift problem 

for / is equivalent to unstructured search — finding xq + s among the 2" elements of 

Z2 — so the quantum query complexity is 0(\/2") [32, 33]. 
Intuitively, other Boolean functions should lie somewhere between these two extreme cases. 
In this paper, we give formal evidence for this: we show that the problem can be solved 
exactly with one query only if / is bent, and we show that it can be solved for any function 
with 0(-\/2") queries, with a lower bound of Q{\/2^) only if the truth table of / has 
Hamming weight 0(1) or 0(2"). This is similar to the weighing matrix problem considered 
by van Dam [34], which also interpolates between two extreme cases: the Bernstein- Vazirani 
problem [35] and Grover search [32]. 

Aside from delta and bent functions, the Boolean hidden shift problem has previously 
been considered for several other families of functions. Boolean functions that are quadratic 
forms or are close to being quadratic are studied in [28]. Random Boolean functions have 
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been considered in [30, 31]. Finally, [27] uses quantum rejection sampling to solve the BHSP 
for any function, although its performance in general is not well understood. 

Apart from algorithms designed specifically for the BHSP, there are generic classical and 
quantum algorithms for the BHSP derived from learning theory. In particular, the BHSP 
can be viewed as an instantiation of the problem of exact learning through membership 
queries. The resulting algorithms are optimal for classical and quantum query complexity up 
to polynomial factors in n. More precisely, for any learning problem, Servedio and Gortler 
define a combinatorial parameter 7 [36]. For the problem BHSP/, we denote the parameter 
as 7/. From their results it follows that the classical query complexity of BHSP/ is lower 
bounded by Q(n) and Q(l/"ff) and upper bounded by 0{n/^f). For quantum algorithms, 
they show a lower bound of Q,{\/ ^Ffj). Atici and Servedio [37] later showed an upper bound 
oi 0{n\ogn/ ,JYf) queries. 

The rest of this paper is organized as follows. In Sect. 2 we briefly review some basic 
Fourier analysis to establish notation. Next, in Sect. 3 we explore the extreme cases of the 
BHSP. In Sect. 4 we introduce a new approach to the BHSP based on the pretty good 
measurement. We analyze its performance for delta, bent, and random Boolean functions in 
Sect. 4.3. In Sect. 5 we propose an alternative method for boosting the success probability of 
the quantum rejection sampling algorithm from [27]. Finally, Sect. 6 presents conclusions 
and open questions. 

This paper has several appendices. In Appendix A we show that the easy instances of 
the BHSP correspond to bent functions. In Appendix B, we show that with one quantum 
query we can succeed on a constant fraction of all functions, whereas in Appendix C we 
prove that two quantum queries suffice to solve the BHSP for random functions. Finally, in 
Appendix D we analyze the structure of zero Fourier coefficients of Boolean functions. 

■ Fourier analysis 

Our main tool is Fourier analysis of Boolean functions [38]. Here we state the basic definitions 
and properties of the Fourier transform and convolution. Readers who are familiar with the 
topic might skip this section, except for Definition 6. 

► Definition 2. The Hadamard gate is i/ := 4=( } _} ). 

► Definition 3. The Fourier transform of a function F : Zj ^- M is a function F : Zj — > K 
defined as F{w) := (w|ff«'"|F) where \F) := J2xei." ^(^)\^)- ^ere F{w) is called the 
Fourier coefficient of F at w e Z2. Explicitly, F{w) = ^l^r Ei:ez"(~l)"'^'^(^) where 
X ■ y '■— X]i=i ^iVi- The set {F{w) : w e Zj} is called the Fourier spectrum of F. 

To define the Fourier transform of a Boolean function /: Zj — > Z2, we identify / with a 
real-valued function F: Zj — >■ M in a canonical way: F{x) := {—\)^'^^^/\/2^. Note that F is 
normaUzed: X]a;ez" 1^(^)1 ~ ^- ^°^ ^^ '"^'^ abuse Definition 3 as follows: 

► Definition 4. The Fourier transform of /: Z^ -> Z2 is F{w) = ^ E^^ez-C-l)"''^'*"''^^"'^- 

To avoid confusion, we use lower case letters for Z2-valued functions and capital letters for 
M- valued functions. 

► Definition 5. The convolution of functions F, G: Z2 — > M is a function {F *G): Z2 — > M 
defined as (F * G){x) := E,jez" F{y)G{x - y). The t-fold convolution of F: Z^' ^ M is a 
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ction F*^ : Z^ - 


> M defined as 




F*'{w):={F* 


..*F)(w) = 


>; ^ 




t yu- 


.,yt-ie^2 



F{y,) ■ ■ ■ F{yt-i)F{w - (yi + • • • + yt-i)) . (1) 

► Fact. Let F,G,H: Zj — > M denote arbitrary functions. The Fourier transform and 
convolution have the following basic properties: 

1. The Fourier transform is linear: F + G^^ F + G. 

2. The Fourier transform is self-inverse: F = F. 

3. Since iJ®" is unitary, the Plancherel identity E™ez? 1-^(^)1^ = Exsz- 1^(2^)1^ ^olds. 

4. Convolution is commutative {F *G — G * F) and associative {{F *G)*H — F*{G* H)). 

5. The Fourier transform and convolution are related through the following identities: 
(F * G)/V2" = FG and {fTg)/^^ = FG, where FG: Z^ -> C is the entry-wise 
product of functions F and G: {FG){x) :— F{x)G{x). 

6. By induction, the <-fold convolution satisfies the identity [F/\/2"] — F*/"\/2". 

The following t-fold generalization of the Fourier spectrum plays a key role: 

► Definition 6. For i > 1, the t-fold Fourier coefficient of /: Zj — > Z2 at w E Z2 is 



J-*'{w) := y [F^] {w). In particular, for t = 1 we have F'^{w) = |F(w)|. 

We can express J-*{w) in many equivalent ways using the identities listed above: 



[F^w)]" ^ [F^y\w) 



'F*F 



{ii,)^-={F*Fy{w). (2) 



/2« 

3 Characterization of extreme cases 

In this section we explore the set of functions for which the quantum query complexity of the 
BHSP is extreme. Recall that the BHSP can be solved with one query for bent functions 
and with 0(-\/2") queries for delta functions. Here we prove that BHSP/ can be solved 
exactly with one query only if / is bent, and with 0(V2") queries (with bounded error) for 
any /. 

3.1 Easy functions are bent 

In general, the quantum query complexity of the BHSP for an arbitrary function is unknown. 
However, the problem becomes particularly easy for bent functions, where a single query 
suffices to solve the problem exactly [29]. In fact, bent functions are the only functions with 
this property, as we show here. 

Bent functions can be characterized in many equivalent ways [39, 40]. The standard 
definition is that bent functions have a "fiat" Fourier spectrum: 

► Definition 7. A Boolean function /: Z2 — ?> Z2 is hent if all its Fourier coefficients F{w) 
(see Definition 4) have the same absolute value: 1^(^)1 = l/\/2" for all w e Zj. 

While many examples of bent functions have been constructed (e.g., see [41, 42, 43]), 
no complete classification is known. As an example, the inner product of two n-bit strings 
(modulo two) is a bent function [40, 41]: IP„(xi, . . . ,Xn,yi, ■ ■ ■ ,yn) — Yl7=i ^iVi- 

We make a few simple observations about bent functions. Recall from Sect. 2 that the 
Fourier spectrum of / is normalized as X^u^eZ" 1^(^)1 ~ ^^ ^° ^^'^ spectrum is "fiat" only 
when [^(u')! = l/\/2" for all w € Zj . Recall from Definition 4 that F{w) is always an integer 
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multiple of 1/2". Thus an n- variable function can only be bent if n is even [42, 41]. Moreover, 
from 1^(0)1 = l/\/2" we get that IEtoeZ"(~l)^^'^^l = v^, so a bent function / is close 
to being balanced: |/| = (2" ± \/2")/2 where |/| := \{x £ Z^: f{x) = 1}| is the Hamming 
weight of /. 

Our main result regarding bent functions is as follows. 

► Theorem 8. Let /: Zj -^ 1^2 be a Boolean function with n>2. A quantum algorithm can 
solve BHSP/ exactly with a single query to Of^ if and only if f is bent. 

The proof is based on a characterization of an exact one-query quantum algorithm using 
a system of linear equations. This system can be analyzed in terms of the autocorrelation of 
/, which in turn characterizes whether / is bent. The proof appears in Appendix A. 

3.2 Hard functions 

In this section we study hard instances of the BHSP. First, we observe that the quantum 
query complexity of solving BHSP/ for any function / is 0(a/2"). 

► Theorem 9. For any /: Z2 — > Z2, the bounded- error quantum query complexity o/BHSP/ 
is 0{V^). 

If we view / as a 2"-bit string indexed by a; € Z2 , this is a special case of the oracle 
identification problem considered by Ambainis et al. [44, Theorem 3], who show the following. 

► Theorem 10 (Oracle Identification Problem). Given oracle access to an unknown N-bit 
string with the promise that it is one of N known strings, the bounded-error quantum query 
complexity of identifying the unknown string is 0{\N). 

In the BHSP, we have N :— 2". By Theorem 9, the hardest functions are those with 
query complexity VL{'\/N). We know that delta functions have this query complexity, but 
are there any other functions that are as hard? The delta functions have |/| = 1 (recall 
that I/I denotes the Hamming weight of /). Next we show that as |/| increases, the query 
complexity strictly decreases at first, until |/| = '^{^/N)■ For example, functions with |/| = 2 
have strictly smaller query complexity than the delta functions. However, as we approach 
I/I = ^{N), our upper bound is Q{\/N) again. Without loss of generality, we assume that 
I/I < N /2] otherwise we can simply negate the function to obtain a function with |/| < A^/2 
that has exactly the same query complexity. Formally, we show the following refinement of 
Theorem 9. 

► Theorem 11. For any /: Zj — > Z2 with 1 < |/| < N/2, the bounded- error quantum query 
complexity o/BHSP/ is at most l\/ N /\f\ + 0{^/\T\)- 

Proof. The algorithm has two parts. First we look for a "1" in the bit string contained in 
the oracle, i.e., an x such that f{x) = 1. This can be done by a variant of Grover's algorithm 
that finds a "1" in a string of length N using at most j\/ N/\f\ queries [45]. Now we have 
an x such that /s(x) — 1 for some unknown s. Note that there can be at most |/| shifts s 
with this property, because each corresponds to a distinct solution to f{x -\- s) — 1 and there 
are only |/| solutions to this equation. 

We are now left with |/| candidates for the black-box function. Viewing this as an 
oracle identification problem, we have oracle access to an A^-bit string that could be one 
of I/I possible candidates. Although the string has length N , there are only |/| potential 
candidates, so intuitively it seems like we should be able restrict the strings to length |/| and 
apply Theorem 10 to obtain the desired result. 
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Formally, it can be shown that given fc > 2 distinct Boolean strings of length N, there 
is a subset of indices, S, of size at most fc — 1, such that all the strings are distinct when 
restricted to S. We show this by induction. The base case is easy: we can choose any index 
that differentiates the two distinct strings. Now say we have m distinct strings j/i, j/2, • ■ • , Vm 
and a subset of indices S of size at most to — 1, such that the m strings are distinct on S. 
We want to add another string i/m+i and increase the size of S by at most 1. If ym+i differs 
with 2/1, 2/2, • ■ • , 2/m on S", then we do not need to add any more indices to S and we are done. 
If ym+i agrees with one of j/i, j/2, • ■ • , 2/m on all of S, first note that it can only agree with 
one such string; to differentiate between these two, we add any index at which they differ to 
S, which must exist since they are distinct. -^ 



This shows that a function can be hard — i.e., can have query complexity Q{\/N) — only if 
I/I is 0(1) or e{N). 

Note that there do exist hard functions with |/| — Q{N). For example, consider the 
following function: f{x) = 1 if the first bit of a; is 1 or if x is the all-zero string. This 
essentially embeds a delta function on the last n — 1 bits, and thus requires 0(ViV) queries. 
This function has |/| = N/2 + 1. However, there are also easy functions with |/| — Q{N), 
namely the bent functions. Thus the Hamming weight does not completely characterize the 
hardness of the BHSP at high Hamming weight. However, it precisely characterizes the 
quantum query complexity at low Hamming weight: 

► Theorem 12. For any /: Z'j — >■ Z2 with no undetectable shifts, the bounded-error quantum 
query complexity o/BHSP/ is il{y^N/\f\). 

This follows from a simple application of the quantum adversary argument, with the 
adversary matrix taken to be the all ones matrix with zeroes on the diagonal. It also follows 
from Theorem 4 of [44]. 



4 The PGM approach 

We now present an approach to the Boolean hidden shift problem based on the pretty good 
measurement (PGM) [46]. In particular, this approach shows that the Boolean hidden shift 
problem for random functions has small query complexity (see Sect. 4.3.3). 

The main idea of the PGM approach is as follows. We apply the oracle on the uniform 
superposition and prepare t independent copies of the resulting state (see Sect. 4.1). Then 
we use knowledge of the function / to perform the PGM in order to extract the hidden 
shift s (see Sect. 4.2). A similar strategy was used to efficiently solve the hidden subgroup 
problem for certain semidirect product groups, including the Heisenberg group [47], and was 
subsequently applied to a hidden polynomial problem [48]. 



4.1 Performing t queries in parallel 

In this section we describe a quantum circuit that prepares a state with w ■ s encoded in the 
phase, where s is the hidden shift and w is the label of the corresponding standard basis 
vector. We use this circuit t times in parallel, followed by a sequence of CNOTs, to prepare 
a certain state |$*(s)). In the next section we perform a PGM on these states for different 
values of s. 
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* Figure 1 Quantum algorithm for preparing the i-fold Fourier sate |$'(s)) in Eq. (8). The state 
on any register at the end of the first stage is given in Eq. (4) . 



4.1.1 Circuit 

The circuit for preparing |<J'*(s)) appears in Fig. 1. It consists of two stages. The first stage 
prepares t identical copies of the same state by using one oracle call between two quantum 
Fourier transforms on each register independently. Recall from Definition 1 that the oracle 
acts on n qubits and encodes the function in the phase: O/^ : \x) i— > (— l)^^^+*'|a;). The 
second stage entangles the states by applying a sequence of transversal controUed-NOT gates 
acting as \x)\y) i->- \x)\y + x) for x,y € T^. 

Note that all unitary post-processing after the oracle queries can be omitted since it does 
not affect the distinguishability of the states. We include it only to simplify the analysis. 

4.1.2 Analysis 

During the first stage of the circuit, the first register evolves under iJ"^" O f^H®'^ (see Fig. 1): 



\®n 



x,yGl 



We can rewrite the resulting state as follows 






(4) 



The overall state after the first stage is just the t-fold tensor product of the above state: 

t 

E (-i)^-^"^+-+"'^(8)^(y0l2/.)- (5) 

In the second stage of the algorithm, the controUed-NOT gates transform this state into 



y^ t_lY-ivi+---+yt) 



Vi,...,yt& 



^F{y^)\yi^ 



i=l 



F{yt)\yi 



yt) 



= E (-!)'■'' 

ai,...,ytGZ5 



t-l 



^F{yi)\yi 



F{yt-{yi + --- + yt-i))\yt)- 



(6) 

(7) 
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We can rewrite this state as 

!'&*(«)>:= ^(-ir"i^^)H, (8) 

where the non-norniahzed state |J^^) on {t — l)n qubits is given by 

\^'J ■■= J2 Fiy,)---F{yt^,)F{w-iyi + --- + yt-i))\yi)---\yt-i). (9) 

yi,...,yt-iel,2 

Its norm is just the t-fold Fourier coefficient: |||^4)ll = J-*'{w) (see Definition 6). 

4.2 The pretty good measurement 

Let {ps ■ s E Z2 } be a set of mixed states where ps is given with probabiHty Ps- The pretty 
good measurement (PGM) [46] for discriminating these states is a POVM with operators 
{Es-. s £Z^}U{E^} where 

Es-.^E-'/^Pspi'-'E-'/^ E-.^Y.P^P's^^ E^:=I-J2Es. (10) 

In our case, pi*-* := |<i>*(s))(<i>'(s)| and ps := 1/2" where |<f>*(s)) is defined in Eq. (8). 
To find the operators E^, we compute 

E=J2^ J2 (-i)(-+-')-ij-4)(j-4,i®H(«i'i (11) 

SGZ2 W,w' ^1^2 

= Eiii-^-)ii'-nSr^®i^>H- (12) 

From now on we use the convention that terms with |||J-^)|| = arc omitted from all sums. 
As i? is a sum of mutually orthogonal rank-1 operators with eigenvalues |||~^4)ll i ^'^ ^^d 

E-'^' = y ^^ • ^^^i^ ® |u;)(u;|. (13) 

Note that E^ = \Es){Es\ where \Es) :== S"i/2^|$*(s)). We can express \Es) as follows: 

(14) 






irE(-ir^Flw^i->- (15) 



/2^.^./ ' lll-^i 



w^l 



Notice that the vectors \Es) are orthonormal, so the PGM is just an orthogonal measurement 
in this basis (with another outcome corresponding to the orthogonal complement). Therefore 
the measurement is unambiguous: if it outputs a value of s (rather than the inconclusive 
outcome *) then it is definitely correct. The corresponding zero-error algorithm can be 
summarized as follows: 



PGM(/,i) 

1. Prepare |<i>*(s)) using the circuit shown in Fig. 1. 

2. Recover s by perform.ing an orthogonal measurement 
with projectors {\E,){Es\: s £'L^}\J {E^}. 
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► Lemma 13. The t-query algorithm PGM(/, t) solves BHSP/ with success probability 

pfit) ■■={^i^y. ^'M I ' (16) 



wez," / 



where T*{w) = |||J^4)II denotes the t-fold Fourier spectrum of f : Z'j — > Z2 (see Definition 6). 

Proof. Recall that the PGM for discriminating the states |$*(s)) = Et«ez"(-l)''™l-^4>k) 
from Eq. (8) is an orthogonal measurement on \Es) (defined in Eq. (15)) and the orthogonal 
complement. Thus, given the state |$*(s)), the success probability to recover the hidden 
shift s correctly is (£'s|^*(s)) . This is equal to the expression in Eq. (16). Moreover, it 
does not depend on s, so Pf{t) is the success probability even if s is chosen adversarially as 
in the definition of BHSP/ (Problem 3). Note that the convention of omitting terms with 
111-^4)11 = is consistent since such terms do not appear in Eq. (16). < 

We can use Eq. (2) to write the success probability as 

p/w = 4 f E \i4^ (p^y h1 ■ (17) 



2' , 



Recall from Sect. 2 that F^{w) — \F{w)\, so for i = 1 we have 

-( V \F(v,'\r 



P/(l) = ^( E 1^(^)1 ) • (18) 

4.3 Performance analysis 

In this section we analyze the performance of the PGM algorithm described above on several 
different classes of Boolean functions. For delta functions our algorithm performs worse than 
Grover's algorithm. On the other hand, for bent and random functions it needs only one 
and two queries, respectively. 

4.3.1 Delta functions 

Let us check how our algorithm performs when / is a delta function, i.e., f{x) = 6x.xo for 
some xq £ Z2 . A simple calculation using the Fourier spectrum of a delta function shows 
that the success probability of PGM(/, i) is 





P/(^) = ^ (2"-l)t 1-H^ +^ l + (2"-l)H^ • (19) 



Unfortunately, if we choose t — a/2", then the success probability goes to as n — > cxd. In 
fact, the same happens even ii t — c^ for any c < 2. Only if we take f = 2" does the success 
probability approach a positive constant 1 — 1/e^ ~ 0.98 as n — >■ cxd. This means that the 
PGM algorithm does not give us the quadratic speedup of Grover's algorithm. (Indeed, this 
follows from the more general fact that quantum speedup for unstructured search cannot be 
parallelized [49].) Thus the PGM algorithm is not optimal in general. 
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4.3.2 Bent functions 

Let / be a Bent function. Recall from Sect. 3.1 that its Fourier spectrum is "flat", i.e., 
|-F(w;)| = l/\/2" for all w € Zj. In this case, Eq. (18) gives p/(l) = 1, so we can find the 
hidden shift with certainty by measuring |<i>^(s)) with the pretty good measurement (recall 
that preparing |<i>"'^(s)) requires only one query to O/,), reproducing a result of Rotteler. 

► Theorem 14 ([29]). /// is a bent function then a quantum algorithm can solve BHSP/ 
exactly using a single query to Of^ . 

4.3.3 Random functions 

For random Boolean functions, our algorithm performs almost as well as for bent functions. 
For random /, we are only able to show that the expected success probability of the one-query 
algorithm PGM(/, 1) is at least 2/tt~\-o{\) for large n (see Theorem 19 in Appendix B), so the 
algorithm only succeeds with constant probability, which cannot easily be boosted. However, 
the expected success probability of the two-query algorithm PGM(/, 2) is exponentially 
close to 1. 

► Theorem 15. Let f be an n-argument Boolean function chosen uniformly at random and 
suppose that a hidden shift for f is chosen adversarially. Then PGM(/, 2) solves BHSPj 
with expected success probability p > 1 — A ■ 2~". 

The proof uses the second moment method to lower bound the expected success probability. 
We compute the variance of the 2-fold Fourier spectrum by relating it to the combinatorics 
of pairings. The proof appears in Appendix C. 

Theorem 15 implies that our algorithm can determine the hidden shift with near certainty 
as n H> cx). This is surprising since some functions, such as delta functions (see Sect. 3.2), 
require f2(v2") queries. Furthermore, a randomly chosen function could have an undetectable 
shift (see Sect. D.l), in which case it is not possible in principle to completely determine an 
adversarially chosen shift with success probability more than 1/2. 

At first glance. Theorem 15 may appear to be a strengthening of the main result of 
[30], which shows that 0{n) queries suffice to solve a version of the Boolean hidden shift 
problem for a random function. However, while our approach uses dramatically fewer queries, 
the results are not directly comparable: Ref. [30] considers a weaker model in which the 
unshifted function is given by an oracle rather than being known explicitly. In particular, 
while the result of [30] gives an average-case exponential separation between classical and 
quantum query complexity, such a result is not possible in the model where the function is 
known explicitly. In this model, there cannot be a super-polynomial speedup for quantum 
computation. This follows from general results from learning theory discussed at the end of 
Sect. 1. In particular, it follows that if the quantum query complexity of the problem for 
a function f is Q, then the deterministic classical query complexity of the problem for the 
same function is at most 0{nQ'^) [36]. 

5 Quantum rejection sampling with parallel queries 

In this section we explain a hybrid approach that combines the Quantum Rejection Sampling 
(QRS) algorithm for the BHSP [27] with the PGM approach. The resulting algorithm does 
not require an extra amplification step for boosting the success probability, unlike the original 
QRS algorithm. 
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5.1 Original quantum rejection sampling approach 

► Theorem 16 ([27]). For a given Boolean function /: Z2 — >■ Z2, define unit vectors 
TT,(T E M.'^ as TTyj := |i^(w)| and a^j '■— l/-\/2" for w E Zj • Moreover, let 

For any desired success probability p g [pmimPmax], the quantum rejection sampling algorithm 
solves BHSP/ with 0{l/\\e'!^_^^\\) queries, where the "water- filling" vector e^_^^ € M^ is 
defined in [27]. 

In particular, if Pmax — 1 then the QRS algorithm can achieve any success probability 
arbitrarily close to 1 with Ofl/(\/2"-Fmin)) queries, where i^min ■— niin^|_F(w)|. However, if 
F{w) — for some w, then from Eq. (20) we see that Pmax < 1- In this case one needs an 
additional amplification step to boost the success probability (a method based on SWAP 
test was proposed in [27]). We show that this step can be avoided by using t parallel queries 
in the original QRS algorithm for some t < n. 

5.2 Non-degenerate functions with almost vanishing spectrum 

Before explaining our hybrid approach, let us verify that there exist non-trivial functions 
with a large fraction of their Fourier spectrum equal to zero, so the issue discussed above 
applies. 

It is easy to construct degenerate functions with the desired property. For example, if a 
function is shift-invariant, i.e., f{x + s) — f{x) for some s E Z2 , then at least half of the 
Fourier spectrum of / is guaranteed to be zero. The same also happens if f{x + s) — f{x) + 1 
(see Lemma 24 in Sect. D.l). However, such examples are not interesting, since a shift- 
invariant n-argument Boolean function is equivalent to an (n — l)-argument Boolean function 
(see Sect. D.l for more details). 

Instead, we consider Boolean functions defined using decision trees. A decision tree is a 
binary tree whose vertices are labeled by arguments of / and whose leaves contain the values 
of /. An example of such tree and the rules for evaluating the corresponding function are 
given in Fig. 2. 

Without loss of generality, we can consider only decision trees where on each path from 
the root to a leaf no argument appears more than once (otherwise some parts of the tree 
would not be reachable) . The length of a longest path from the root to a leaf is the height of 
the tree. If a Boolean function is defined by a decision tree of height h, then all its Fourier 
coefficients with Hamming weight larger than h are zero (see Lemma 25 in Sect. D.2). This 
observation can be used to construct non-degenerate Boolean functions with almost vanishing 
Fourier spectrum. 

► Example. The 10-argument Boolean function /lo whose decision tree is shown in Fig. 2 
has no shift invariance, yet 928 (out of 2^° = 1024) of its Fourier coefficients are zero. 

5.3 The t-fold Fourier spectrum as t increases 

Let us now show how to deal with the zero Fourier coefficients. The main idea stems from 
the following observation: if St '■= {w E'L'^'- ^^{w) ^ 0} then St+i = St + Si (see Prop. 26 
in Sect. D.3). If Si spans Zj, we can apply this recursively and eliminate all zeroes from 
the t-fold Fourier spectrum F^ . In particular, it suffices to take t < n (see Lemma 27 in 
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M Figure 2 Decision tree for a 10-argument Boolean function /lo. To compute the value of the 
function for given input xi, . . . , a;io £ Z2 , proceed down the tree starting from the root; move left 
if the corresponding argument is equal to or right if it is equal to 1. Once a leaf is reached, its 
label is the value of the function for the given input. For example, fio{xi, . . . , a;io) evaluates to zero 
when a;2 = a;i = a;5 = a;4 = a;io = 0, since the leftmost leaf has label zero. This tree has height five. 



Sect. D.3). For example, for /lo the fraction of non-zero values of J^* for t - 
0.61, 0.94, 1, respectively. In particular, J^^ is non-zero everywhere. 



1,2,3,4 is 0.09, 



5.4 Quantum rejection sampling with t-fold queries 

We can use quantum rejection sampling with t queries in parallel to solve the BHSP. Suppose 
we transform the i-fold Fourier state |<I>'(s)) from Eq. (8) into the PGM basis vector \Es) 
defined in Eq. (15) using QRS. This corresponds to setting tt^, — F*'{w) and a^j = l/\/2". 
Since the circuit from Fig. 1 can be used to prepare |$*(s)) with t queries. Theorem 16 
still holds if 1-^(^)1 is replaced by J^*{w) and the query complexity is multiplied by t. This 
observation together with Lemma 27 implies that as long as / is not shift invariant, we 
can recover the hidden shift s with success probability arbitrarily close to 1 using quantum 
rejection sampling with some t < n. 

► Theorem 17. Let /: Zj — > Z2 &e a Boolean function and let p be sufficiently large. 
Then BHSP/ can be solved with success probability p using 0(t/\\e^^„\\) queries for some 
i e {1, . . . ,n} where tt^ :— F^{w), a^ '■= 1/a/2", and the "water-filling'' vector £^^0- '= '^'^ 
is defined in [27]. 



6 Conclusions 



A comparison of quantum query complexity bounds for solving the BHSP for different 
classes of functions is given in Table 1. If the QRS algorithm works for random functions 
with 0(1) queries, then it is optimal up to constant factors in all three cases listed in the 
table. However, from Sect. 5.1 we know that the basic QRS algorithm without amplification 
performs poorly when / has many zero Fourier coefficients (which is the case, e.g., for the 
decision trees considered in Sect. D.2). This suggests that the basic (unamplified) QRS 
algorithm is likely not optimal in general. 

The "Simon"-type approach due to [30] always has an overhead of a factor 0{n), reflecting 
the fact that at least n linearly independent equations are needed to solve a linear system 
in n variables. (Note that this approach works in the weaker model where the unshifted 
function is given by an oracle, so it still provides an upper bound when the function is known 
explicitly.) The learniirg theory approach [37] also has logarithmic overhead. Finally, the 
PGM approach performs very well in the easy cases, the bent and random functions, but 
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Approach 


Functions 




Comments 


delta 


bent 


random 


PGM 


0(2") 


1 


2 


zero error 


QRS [27] 


0{y^) 


1 


? 




"Simon" [30] 


0{nV2") 


0{n) 


0{n) 


zero error, black-box / okay 


Learning theory [37] 


0(n log nV2") 


O(nlogn) 


O(nlogn) 


optimal up to log factors V / 


Lower bounds: 


n{V2") 


1 


1 





I Table 1 Summary of quantum query complexity upper and lower bounds for BHSP. We do not 
know the query complexity of the QRS algorithm for random functions. 



fails to provide any speedup for delta functions. As mentioned in Sect. 4.3.1, this can be 
attributed to the fact that Grover's algorithm is intrinsically sequential. 

In summary, none of the algorithms listed in Table 1 is optimal. However, by combining 
these algorithms and possibly adding some new ideas, one might obtain an algorithm that 
is optimal for all Boolean functions. In particular, the QRS approach with <-fold queries 
appears promising. 

We conclude by mentioning some open questions regarding the Boolean hidden shift 
problem: 

1. Find a query-optimal quantum algorithm for general functions (recall that the learning 
theory algorithm is only optimal up to logarithmic factors [36, 37]). 

2. Identify natural classes of Boolean functions lying between the two extreme cases of bent 
and delta functions (say, the decision trees considered in Sect. D.2) and characterize the 
quantum query complexity of the BHSP for these functions. 

3. Determine the number of queries required by the QRS algorithm for random functions. 

4. What is the query complexity of verifying a given shift? (A quantum procedure with 
one-sided error, based on the swap test, was given in [27].) 

5. What is the quantum query complexity of extracting one bit of information about the 
hidden shift? 

6. What is the classical query complexity of the Boolean hidden shift problem? 

7. Can we say anything non-trivial about the time complexity of the Boolean hidden shift 
problem, either classically or quantumly? 

8. Can the BHSP for random functions be solved with a single query? Our approach 
based on the PGM only gives a lower bound on the expected success probability that 
approaches 2/tt for large n (see Theorem 19), whereas we require a success probability 
that approaches 1 as n — ^ c». It might be fruitful to consider querying the oracle with 
non- uniform amplitudes. 

Finally, it might be interesting to consider the generalization of the Boolean hidden shift 
problem to the case of functions / : ZJJ — > Z^. 
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A Converse for bent functions 

The goal of this appendix is to prove Theorem 8. First we need an alternative characterization 
of bent functions. 

► Proposition 18. A Boolean function / is bent if and only if {F * F){x) = S^^q. 
Proof. If {F * F){x) = Sxfi, then using identities from Sect. 2, we find 

F^H = J=iF7F){w) = ^ E i-^r-'iF * F){x) = ^ (21) 

SO / is bent. Conversely, if / is bent then 

{F.F){w)^V2^T\w)^ E (-1)— /'^(a;) = ^ (^l)--l = <5,^_o (22) 

and the result follows. -4 

► Theorem 8. Let f : Zj — >■ Z2 be a Boolean function with n >2. A quantum algorithm can 
solve BHSP/ exactly with a single query to Of^ if and only if f is bent. 

Proof. The most general one-query algorithm for solving BHSP/ using a controlled phase 
oracle (or equivalently, an oracle that computes the function in a register) performs a query 
on some superposition of all binary strings x S Z2 and an extra symbol "0" that allows for 
the possibihty of not querying the oracle. Without loss of generality, the initial state is 



a0\ 



E "-1^) (23) 



xei 



|2 



for some amplitudes a0 £ C and a^; € C for x G Z2 such that \a0\ + X^ajsZ"!*^^! ~ ^' "^^^ 
oracle acts trivially on |0), so the state after the query is 

10,) := a0\0) + E ax(-l)^("+^'|x) (24) 

where s G 1^2 is the hidden shift. For an exact algorithm, we must have 

Vs ^ s' : = (0,10,0 = la^f + ^ |a.|'(-l)^("+^)+^("+^''. (25) 

We can describe Eq. (25) as a linear system of equations. Define p0 '■— [0:0 1 and let 
p be a sub-normalized probability distribution on Zj defined by Px '■— l^xP- Let M be a 
rectangular matrix with rows labeled by elements of A := {{s, s') e Z2 x Z2 : s 7^ s'} and 
columns labeled by x G Zj, with entries 

M,,;^ := (_i)/(^+^)+/(:^+'*'). (26) 

Then Eq. (25) is equivalent to 

Mp = -p0U (27) 

where u is the all-ones vector indexed by elements of A. In other words, there exists an exact 
one-query quantum algorithm for solving BHSP/ if and only if Eq. (27) holds for some P0 
and p that together form a probability distribution on {0} U Z2 . 



i 

On 






1 

2^ 




.i)/(^ 


•+s) + f{x+s') 


1 
9^ 


>;(- 


_i)/(^ 


,)+f{x+s+s') 
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If / is bent, there is an exact one-query quantum algorithm corresponding to p0 = and 
p — H, the uniform distribution (i.e., fi^ '■= 1/2" for all x E Z2). Notice that the entries of 
the vector Mfi are 

(M/i),,, = 4 y^ ^-;- (28) 

(29) 

(30) 

^{F*F){s + s'). (31) 

Prop. 18 impHes that {F * F){x) = S^^q, so {Mp)ss' = for all s ^ s' . Since p0 = 0, Eq. (27) 
holds and the algorithm is exact. 

To prove the converse, assume there is an exact one-query quantum algorithm that solves 
BHSP/. Then Eq. (27) holds for some P0 and p that form a probability distribution on 
{0}UZ'l 

First, we claim that without loss of generality, the probabilities Px can be set equal for 
all X e Z2 . More precisely, we set p '■= {1 — P0)fJ, and show that Eq. (27) still holds if we 
replace p by p. Note that 1 — p0 — X^yeZ" Px+y for any a; G Z^, so 

{Mp)ss' = ^ I] M,,,x (1 - P0) (32) 

= ^ E (-i)^(^+^)+^(^+^') Yl P^+y (33) 

= ^ E E (-l)^(-+'^+^)+^(-+^+^'V. (34) 

= ^ E E ^hv+s,y+s'),xPx (35) 

= ^ E (^'^P)iv+s.v+s') (36) 



= -P0 (37) 

where the last equality follows since p is a solution of Eq. (27). We conclude that p is also a 
solution of Eq. (27), i.e., 

(1 - p0)MfJ. = ~P0U. (38) 

Recall from Eqs. (28) to (31) that {M^i)ss' = (F*F)(s-f s'), which together with Eq. (38) 
implies that (1 — P0){F * F){s + s') = ~p0 for all s 7^ s' . Clearly, there is no solution with 
P0 = 1. Thus we have 

{F*F){w) = ^^<0 (39) 

1 -P0 

for any w ^ 0. Observe that {F * F){w) = X^^ez" ■^{—^)-^^^^^^^^'^^^ is an integer multiple 
of 1/2" and {F * F){0) — 1 for any /. Thus, we can rewrite Eq. (39) as 

s. s fl ifw = 0, 

{F*F){w)^{ (40) 

I — fc/2" otherwise 
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for some integer fc > 0. Therefore 



J2{F^F){w) = l- 



1. 



On the other hand, 
J2{F.F){w) 






luez" xe 



/(a;)+/(i;+«)) 



n 2 



a;^Zo 



E(i-2/(^)) 



= ^(2"-2|/|)^ 

Putting this together with Eq. (41) gives 
(2"-2|/|)^=2"-(2"-l)A:. 



(41) 

(42) 

(43) 

(44) 
(45) 

(46) 



This equation has no solutions for fc > 2 since the right-hand side is negative (for n > 2). 
Similarly, there are no solutions for k — I since the left-hand side is even and the right-hand 
side is odd. Therefore k = (and hence p0 = 0), which implies that / is bent by Eq. (40) 
and Prop. 18. M 

Note that there is a solution to Eq. (46) with fc = 2 and n ~ 1, provided |/| = 1. This 
trivial case involves the one-argument Boolean functions f{x) = x and f{x) — NOT(x). For 
these functions which we can choose p^i = 1/2 and po = pi = 1/4 to determine the hidden 
shift exactly with one query. A deterministic classical algorithm can also solve BHSP/ with 
one query for these functions. 

B Success probability of one-query PGM for random functions 

In this appendix, we show that for one query, the expected success probability of PGM(/, 1) 
approaches a constant less than 1 for large n. This suggests that one query might not be 
enough to solve the problem with success probability arbitrarily close to 1. However, we do 
not know if the PGM algorithm has optimal success probability in the one-query case. 

► Theorem 19. Let f be an n-argument Boolean function chosen uniformly at random and 
suppose that a hidden shift for f is chosen adversarially. Then PGM(/, 1) solves BHSP/ 
with one query to O f\. and expected success probability p > 1/2 over the choice of f . Indeed, 
p > 2/tt — o(l) as n ^ oo. 

Proof. Recall from Eq. (16) in Lemma 13 that PGM(/, t) recovers the hidden shift of / 
correctly after t queries with success probability pf (t) . If the function / is chosen uniformly 
at random, then the expected success probability after t queries is 



Pit) 






H 



(47) 
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We can obtain a lower bound on p(t) using the Cauchy-Schwarz inequality: 






HU:p(i). 



Taking t — I, this gives 
1 1 



P 



> 



2n (22-12 1^ ^ l^^"^^' 



2n I 22" 



.<^ 2-^ On 2-^ ^ 



w-x-\-f{x) 



x^Zl} 



(48) 



(49) 



(50) 



For each w we can define /'(x) := w ■ x + fix) and change the order of summation by 
summing over /' instead of /. The value of this sum does not depend on w, so we get 

2 

_ L(2")2 



p^^f^E 



E (-1)'^^ 



x& 



2" 



where 

L{N) 



- y 



2N 



^£{1,-1}' 



AT 

E- 



(51) 



(52) 



is the expected distance traveled by N steps of a random walk on a line (where each step is 
of size one and is to the left or the right with equal probability) . It remains to lower bound 
LiN). 

Let N — 2m for some integer m > 1. Using standard identities for sums of binomial 
coefficients, we compute 






fe=0 



2to 
k 



1 /2m 

— — ■2m{ 
22™ V m 



Since the central binomial coefficient satisfies [50, p. 
2m\ 4" 
m J V4to 
we find 

L(2m) > \fm. 



(53) 
(54) 

(55) 

(56) 

For TV = 2" this gives L(2") > ^2"/2. We plug this in Eq. (51) and get p > 1/2. 
In fact, according to Stirling's formula (^™) ~ 4'"/-y/7rm as m — > oo. This means that 
L(N) ^ ^J2N/'K as iV — >■ oo and our lower bound on p approaches 2/7r as n — >■ oo. < 

C Two queries suffice for random functions 

In this appendix we prove the following: 

► Theorem 15. Let f be an n-argument Boolean function chosen uniformly at random and 
suppose that a hidden shift for f is chosen adversarially. Then PGM(/, 2) solves BHSP/ 
with expected success probability p > 1 — A • 2~". 
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C.l Strategy 

Our goal is lower bound p{t), as defined in Eq. (48). Let us define a random variable X over 
Boolean functions /: Zj — >■ Z2 and binary strings w G Zj, whose value is 

X := [T\w)]'' ^ [fX\w), (57) 

where / and w are chosen uniformly at random. Notice from Eq. (48) that 

p{t) = 2" {E[VX])\ (58) 

Clearly, for any a; > we have 

E[\/X] > ^ Ft{X > x). (59) 

Our strategy is to use a one-sided version of Chebyshev's inequality, known as Cantelli's 
inequality, to lower-bound Pr(X > x), and then choose a value of x that maximizes our lower 
bound on p{t). 

► Fact (Cantelli's inequality). Let /i := K[X] and a^ '■— E[X'^] — /i^ be the mean and variance 
of X, respectively. Then Pr{X — /i > ka) > -^ A,2 . 

Alternatively, if we substitute X by —X and reverse the inequality then 
Pr(X>A*-fca)>^A_. (60) 

If we substitute x '■= fi — ka in Eq. (59), then according to the above inequality, 

E[Vx]>^f,-ka^^. (61) 

Using Eq. (48), Eq. (58), and Eq. (61) gives 

p(i)>p(t) = 2"(E[Vx])'>2"(/i-M(l + ^) • (62) 

It remains to lower bound ^ (Sect. C.2), upper bound a (Sect. C.3), and make a reasonable 
choice of the deviation parameter k (Sect. C.4). 

C.2 Computing the mean 

Let us compute the mean 

M-Em=2^E^E[^T*H (63) 

for any integer t > 1. Notice that 

Y^[fX\w)= E F{y,r---F{yt-,rF{w-{y^ + --- + yt-i)y (64) 

E F{y,r---F{y,^,rF{ytr (65) 

yi,...,ytel.^ 

= (E^(2^)') (66) 

= 1 (67) 
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by unitarity of the Fourier transform (see Plancherel's identity in Sect. 2). We conclude that 

M=^ (68) 

independent of t. 

C.3 Computing the variance 

Next we compute the variance 

E[^^]-^E^E([^T*H)'- (69) 

/ toSZJ 



Note that from Eq. (2) and Plancherel identity we have 

I — ^ (^'^^ 

We substitute this in Eq. (69) and get 

"*H) (71) 



E([^']"(-))'= E (i(^^^)*(-)) -^ E(^*^)"(-)- 



iE[^']-2tE^f^E(^*^) 

= — V — V (^- V (-1)^^" 
22n A^ 2^" ^-^\ 2" ^—^ 



X 2t 

)+f(w+x)\ 



(72) 



C.3.1 Counting pairings 

Let us introduce some combinatorial ideas that will help us to evaluate the sum in Eq. (72). 

► Definition 20. Let 5* be a finite set and let Z > 1 be an integer. We say that ai, 02, . . . , 02; G 
S are paired if there exists a permutation n of {1, 2, . . . , 21} such that 07^(22-1) — o-!T{2i) for 
all i G {1, 2, . . . , /}. Define A : S'^' ^ Z2 as 

fl if ai, 02,..., a2i are paired, 
A(ai,a2,... ,a2ij := < (73) 

10 otherwise. 

Notice that for Z = 2 we have A(a, 6, c, d) — 5a.b5c,d + '5a,c'^fc,d + Sa^d^b.c ~ '^5a,b.c,d, so the 
number of ways to pair four elements of 5* is 

Y, Ma,b,c,d) = 3 Y. ^-^bSc,d - 2 Y ^-'b,cA = 3\Sf~2\S\. (74) 

a,b,c,d£S a,b^c,d^S a,b.c,d£S 

► Proposition 21. Let 5' = {0, 1}"". Then for any ai, 02, ■ ■ ■ , 0^2/ ^ 5", 

_L^(„l)/(ai)+/(a.)+...+/(a.,) ^ A(ai,a2,...,a20 (75) 

/ 

where the sum is over all Boolean functions / : Zj ^- Z2 . 

Proof. Clearly, if oi, 02, . . . , 02; are paired, then the exponent of —1 is even and the sum is 
1. Otherwise, we can omit the paired arguments, and all remaining Oi are distinct. Since we 
are averaging over all / and the values that / takes at distinct points are independent, the 
sum vanishes. < 
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We can use this observation to rewrite Eq. (72) as follows: 

^X'^] = 22(t+i)" ^ 51 A{ai,ai + w,a2,a2 + w,...,a2i,a2i+w). (76) 

C.3.2 Evaluating the variance at t = 2 

In general, the variance depends on t. However, we are interested only in the t — 2 case, so 
from now on we will assume that i = 2 and do not write the dependence on t explicitly. For 
t = 2, Eq. (76) reads 

1^[^'] = ^II J2 Ma,a + w,b,b + w,c,c + w,d,d + w). (77) 

We consider two cases. First, when w ~ 0, the eight arguments of A are always paired, 
so the inner sum in Eq. (77) evaluates to 

Y^ A{a,a,b,b,c,c,d,d) = 2'^". (78) 

Now suppose w =/= 0. Then Wi = 1 for some i G {1, . . . , n} and thus either a,; = or 
Ui + Wi — (and similarly for b, c, and d). In total there are 2^ — 16 cases. Since A is 
invariant under permutations of arguments, we can substitute a by a + w, which effectively 
swaps the arguments a and a + w. By performing a similar operation for b, c, and d, we can 
ensure that a^ = bi = Ci = di = 0. Among the eight arguments of A in Eq. (77), arguments 
a, b, c, and d can be paired only among themselves since Wi — 1. Moreover, once a and b 
are paired, then so are a + w and b + w. Thus, we can restrict the ith bit of w to be 1 and 
ignore the four extra arguments of A. Then the inner sum in Eq. (77) becomes 

16 Y^ A(a,6,c,d) = 16- (3-22"-2_2.2"-i) = 12-22"-16-2", (79) 

where the first equality follows from Eq. (74) with S = Zj^^. 

By combining Eq. (78) and Eq. (79), we can rewrite Eq. (77) as 

E[X^] = ^ (2'*" + (2" - 1) • (12 • 2^" - 16 • 2") j (80) 



_ 1 12 28 16 

2^" 2'^" 2*" 2^" ' 

Using the value of /i from Eq. (68) , we see that for 71 > 1 the variance is 



(81) 



<^' = nx^]-,^^^-^ + ^^>^. (82) 

C.4 Choosing the deviation 

To complete the lower bound on the success probability, recall from Eq. (62) that 



<-p) 



p>2^{^l-ka)il + ^] . (83) 

Substituting the bounds on fi and a from Eq. (68) and Eq. (82), respectively, gives 



P>(l-^^)(1 + Z2) ■ (84) 



fc2 
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-2 



Notice that (l + p^) > 1 — p^ for any k, so 



2 \ fc 2 

/2" / V ' k^ J ~ \/2" fc2 



p->(i-^)(i-t:2 >i-:7!^-r2- (85) 



It remains to make a good choice for k. Let a — \/2" and k = a'^ for some c > 0. Then 
p > 1 - a''-^ - 2a"2c^ (gg) 

Choosing c = 1/3 (i.e., A; — 2"/^) gives 

P > 1 - ^ • 2-". (87) 

This concludes the proof of Theorem 15. 

D Zeroes in the Fourier spectrum 
D.l Undetectable shifts and anti-shifts 

In some cases the Boolean hidden shift problem cannot be solved exactly in principle. For 
example, if the function / is invariant under some shift, then the hidden shift cannot be 
uniquely determined, as the oracle does not contain enough information (an extreme case of 
this is a constant function which is invariant under all shifts) . In this section we consider 
such degenerate functions and analyze their Fourier spectra. 

► Definition 22. Let 6 £ Z2. We say that s is a b-shift for a function /: I/2 -^ ^2 if / has 
the following property: Va; G Z2 : j{x + s) — f{x) + b. We refer to 0-shifts as undetectable 
shifts since they cannot be distinguished from the trivial shift s = 0. We also refer to 1-shifts 
as anti-shifts since they negate the truth table of /. 

The following result provides an alternative characterization of 6-shifts. It relates the 
maximal and minimal autocorrelation value of F to undetectable shifts and anti-shifts of /, 
respectively (see Definition 5 for the definition of convolution) . 

► Proposition 23. The string s e Zj is a 6-shift for function /: Z2 — > Z2 if and only if 

{F * F){s) = (-l)^ where F{x) := (-l)-''(^)/v^ for ah x e Z^'. 

Proof. Let s be a 6-shift of /. Then 

(F * F)(s) = Y^ F{x)F{x -t- s) (88) 

= ^ E (-l)'^^n-l)^(^^+'' (89) 

= (-!)"■ (91) 



For the converse, note that all terms on the right-hand side of Eq. (88) have absolute value 
equal to 1/2". In total there are 2" terms, so \{F * -F')(s)| < 1. If this bound is saturated, 
then all terms in Eq. (88) must have the same phase. Thus, s is a &-shift for some 6 G Z2. < 
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If s' and s" are undetectable shifts of / then so is s' + s", since f{x + s' + s") — f{x + s') — 
f{x) for any x. Hence the set of all undetectable shifts forms a linear subspace of Zj . Also, 
if a' and a" are anti-shifts, then a' + a" is an undetectable shift. In particular, a Boolean 
function with no undetectable shifts can have at most one anti-shift. 

If we want to solve the hidden shift problem for a function / that has an undetectable 
shift s, we can apply an invertible linear transformation A on the input variables such that 
A • ... 01 = .s. Thus we simulate the oracle for the function f'{x) '■— f {A ■ x) such that 
f'{x + Q . . . 01) — f'{x). Notice that /' is effectively an (n — l)-argument function, since 
it does not depend on the last argument. Similarly, if / has a fc-dimensional subspace of 
undetectable shifts, it is effectively an {n — fc)-argument function. Solving the hidden shift 
problem for such a function is equivalent to solving it for the reduced (n — fc)-argument 
function /' and picking arbitrary values for the remaining k arguments. In this sense. Boolean 
functions with undetectable shifts are degenerate and we can consider only functions with no 
undetectable shifts without loss of generality. 

Similarly, if / has an anti-shift, we can use the same construction to show that it is 
equivalent to a function /' such that /'(xi, . . . , x„_i, x„) = f"{xi, . . . , Xn-i) ffi Xn where /" 
is an (n — l)-argument function. To solve the hidden shift problem for /', we first solve it for 
/" and then learn the value of the remaining argument a;„ via a single query. In this sense. 
Boolean functions with anti-shifts are also degenerate. Thus, without loss of generality we 
can consider the hidden shift problem only for non-degenerate functions, i.e., ones that have 
no 5-shifts for any 6 G Z2. 

Finally, let us show that Boolean functions with ^-shifts have at least half of their Fourier 
coefficients equal to zero. Let S be an {n — l)-dimensional subspace of Z2 , and let us denote 
the two cosets of S in Zj by Sb '■= S + br, where 6 € Z2 and r G Z2 \ 5 is any representative 
of the coset for 6=1. The following result relates the property of having a 6-shift to the 
property of having zero Fourier coefficients with special structure. 

► Lemma 24. A function f : Zj — > Z2 has a non-zero b-shift if and only if there is an 
{n — 1)- dimensional subspace S C Z2 such that F{w) = when w ^ Sf,- 

Proof. Assume that s is a 6-shift of /. Then 

H^) - ^ E (-l)'-^+^(^^ (92) 

_ J_ y^ l'^\w(x + s) + f(x + s) /ggN 

X<^7j2 
_ J_ y^ f_Y\W-(x + s) + f(x)+b /g^-j 

= (-1)'"'"+''^ E (-l)"""+^("^ (95) 

= {-l)'^-''+^F{w). (96) 



Thus, F{w) — when w ■ s ^ b. Let S be the (n — l)-dimensional subspace of Zj orthogonal 
to s. Then wGSb'^w-s — b and thus F{w) = when w ^ Sb- 

For the converse, assume that S is an (n — l)-dimensional subspace of Z2 and F{w) = 
when w ^ Sb- Let s € Z2 be the unique non-zero vector orthogonal to S- Then Sb = 
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{w : w ■ s — b} and we have 



F{x + s) = F{x + s) (97) 

= 4^ E (-1)^^+^^""^H (98) 






= 4^ E (-1)^^+^^""^H (99) 

= (-i)''4^ E (-i)"-"'^(^) (100) 

wectb 

= i-ifn^)- (101) 

Hence f{x + s) — f{x) + b and thus s is a 6-shift of /. A 

D.2 Decision trees 

In the previous section we discussed degenerate cases of Boolean functions that have many 
zero Fourier coefficients. In this section we explain how to construct non-degenerate examples. 

► Lemma 25. /// is a Boolean function defined by a decision tree of height h then F(w) — 
when \w\ > h. 

Proof. Since the Boolean function / is given by a decision tree, let {Pi, . . . , P,„} be the set 
of all paths that start at the root of this tree and end at a parent of a leaf labeled by 1. 
For example. Pi = {x2,a;i,a;5,a:4,a;io} and P2 = {x2,xt,Xi\ are two such paths for the tree 
shown in Fig. 2. We can write the disjunctive normal form of / as 

f{x) = \J f\{bf®x,) (102) 

where "V" and "A" represent logical OR and AND functions, respectively, and 6^ € Z2 
is equal to 1 if and only if variable Xj has to be negated on path P^. For example, Xiq is 
negated on Pi, and X2 and x^ are negated on P2. 

To prove the desired result about the Fourier coefficients of /, we switch from Boolean 
functions to (±l)-valued functions with (±l)-valued variables. In particular, we replace 
/: Z2 — J> Z2 by a function F: {1,-1}" — ?> {1,-1} in variables Xi e {1,-1} such that 

^((-1)") - (-1)^^"' (103) 

for all a; e ZJ. 

Notice that the (±l)-valued versions of logical NOT, AND, and OR functions are given 
by the following polynomials: 

NOT(A) := -X, (104) 

AND(Xi,...,Afc):= 1-2]^^^, (105) 

0R(Xi,...,Afc):=-l-2n^^. (106) 
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We can use these polynomials and Eq. (102) to write F as 

F{X) = ORfii AND^eP,(-l)''^"Xj, (107) 

where OR^j^ Xi stands for OR(Xi, . . . , Xm) and a similar convention is used for AND. 

When we determine the value of / using a decision tree, each input x e Zj leads to 
a unique leaf of the tree. Thus, when f{x) — 1, there is a unique value of i in Eq. (102) 
for which the corresponding term in the disjunction is satisfied. With this promise we can 
simplify Eq. (106) to 

k 
OR(Xi,...,Xfc):=^(X,-l) + l. (108) 

1=1 

If we use this in Eq. (107), we get 

m 

F{X) = ^(AND,ep,(-l)^5* X, - l) + 1, (109) 



i=l 



1 - (-1)^- X, 



*=i jePi 

Notice that this polynomial has degree at most max^jPil < h, the height of the tree. On the 
other hand, the Fourier transform is self-inverse (see Sect. 2), so 

(-l)/(^) = V2^F(a;) =: %/2^F(a;) = ^ (-l)^-"'i^(w). (Ill) 

The (±l)-valued equivalent of this equation is 

F{X) = J2 FM n ^- (112) 

w^Z!^ i : Wi—1 

By comparing this with Eq. (110) we conclude that F{w) = when \w\ > h. -4 

According to this lemma, we can use the following strategy to construct Boolean functions 
with a large fraction of their Fourier coefficients equal to zero. We pick a random decision 
tree with many variables but small height, i.e., large n and small h (notice that n < 2'' — 1). 
Then we are guaranteed that the fraction of non-zero Fourier coefficients does not exceed 

^EJ^^^=Ur (113) 



2" ^^ Vfcy ~ 2" V 2" 

k=Q ^ ^ ^ - 

where H{p) := — plogj p — (1 — p) log2(l — p) is the binary entropy function. In particular, if 
h ^ log2 n then this fraction vanishes as n goes to infinity, i.e., F is zero almost everywhere. 
However, notice that when the number of zero Fourier coefficients is large, it is also 
more likely to pick a degenerate Boolean function (i.e., one that has a 5-shift for some 
b € Z2); we would like to avoid this. Recall from Lemma 24 that / has a fe-shift only if all its 
non-zero Fourier coefficients lie in a coset Sb of some {n — l)-dimensional subspace S C 1^2- 
Unfortunately, we do not know the probability that a random decision tree with n variables 
and height log2 n corresponds to a Boolean function with this property. 
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D.3 Zeroes in the t-fold Fourier spectrum 

In this section we study the fraction of zeroes in the i-fold Fourier spectrum F^ of / as 
a function of t. The main observation is Lemma 27, which shows that unless / has an 
undetectable shift, J^* becomes non-zero everywhere when t is sufficiently large. This means 
that even for functions with a high density of zeroes in the Fourier spectrum, one can 
boost the success probability of the basic quantum rejection sampling approach discussed in 
Sect. 5.1 by using the t-fold generalization from Sect. 5.4. 

► Proposition 26. Let St '■— {w e Z2 : J-*'{w) ^ 0} be the set of strings for which J^* is 
non-zero. Then St+i ^ St + Si where A + B := {a + h: a e A,h e B}. 

Proof. Note that [J^*+^]^= [^*T * [^^T from Definition 6. Also, F\w) > for any i > 1 
and w e 1^2- Assume that wq G St and wi E Si. Then J^*(wo) > and J^^(wi) > 0, so 



[j-*+i] \wo + wi)^J2 [^'] "(^) ■ [^Ti^o + WI-X) (114) 

> [T']\wo)- [T']\wo + wi~wo)>0. (115) 



Thus wq + wi €z St+i and hence St + Si ^ fSf+i. Conversely, if w cannot be written in the 
form wq + wi for some wq G St and wi € Si then J-^^^{'w) = 0, since all terms of the sum in 
Eq. (114) vanish. A 

► Lemma 27. ///: Z2 — > Z2 does not have an undetectable shift, then there exists t e 
{1, . . . , ?i} such that J-"* is non-zero everywhere. 

Proof. If Si spans the whole space Zj , we can inductively apply Prop. 26 to conclude that 
St = Z2 for some sufficiently large t. In particular, it suffices to take t < n (say, if Si is the 
standard basis). On the other hand, if 5*1 spans only a proper subspace of Zj, then it is 
contained in some (n — l)-dimensional subspace So- Since J"^ — \F\ vanishes outside of So, 
we conclude by Lemma 24 that / has an undetectable shift. -4 

References 



Andrew M. Childs and Wim van Dam. Quantum algorithms for algebraic problems. Rev. 
Mod. Phys., 82(l):l-52, Jan 2010. arXiv: 0812. 0380, doi : 10. 1103/RevModPhys.82. 1. 
David Deutsch and Richard Jozsa. Rapid solution of problems by quantum computation. 
Proceedings of the Royal Society of London. Series A: Mathematical and Physical Sciences, 
439(1907):553-558, 1992. doi: 10. 1098/rspa. 1992. 0167. 

Daniel R. Simon. On the power of quantum computation. In Proceedings of the 35th Annual 
Symposium on Foundations of Computer Science (FOCS 1994), pages 116-123, Nov 1994. 
doi : 10 . 1109/SFCS . 1994 . 365701. 

Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete loga- 
rithms on a quantum computer. SIAM Journal on Computing, 26(5):1484-1509, 1997. 
Earlier version in FOCS 1994, pp. 124-134. arXiv:quant-ph/9508027, doi: 10. 1137/ 
S0097539795293172. 

Alexei Kitaev. Quantum measurements and the Abelian Stabilizer Problem. 1995. arXiv: 
quant-ph/9511026. 

Richard Jozsa. Quantum algorithms and the Fourier transform. Proceedings of the 
Royal Society of London. Series A: Mathematical, Physical and Engineering Sciences, 
454(1969):323-337, 1998. arXiv:quant-ph/9707033, doi : 10. 1098/rspa. 1998.0163. 



A. M. Childs, R. Kothari, M. Ozols, and M. Roetteler 27 



7 Michele Mosca and Artur Ekert. The hidden subgroup problem and eigenvalue esti- 
mation on a quantum computer. In Quantum Computing and Quantum Communica- 
tions, volume 1509 of Lecture Notes in Computer Science, pages 174-188. Springer, 1999. 
arXiv: quant-ph/9903071, doi : 10 . 1007/3-540-49208-9_15. 

8 Richard Jozsa. Quantum factoring, discrete logarithms, and the hidden subgroup problem. 
Computing in Science Engineering, 3(2):34-43, Mar/ Apr 2001. arXiv:quant-ph/0012084, 
doi : 10 . 1109/5992 . 909000. 

9 Sean Hallgren. Polynomial-time quantum algorithms for Pell's equation and the principal 
ideal problem. Journal of the ACM, 54(1):4:1-4:19, Mar 2007. doi : 10. 1145/1206035. 
1206039. 

10 Dan Boneh and Richard Lipton. Quantum cryptanalysis of hidden linear functions. In 
Advances in Cryptology - CRYPTO 1995, volume 963 of Lecture Notes in Computer Science, 
pages 424-437. Springer, 1995. doi: 10. 1007/3-540-44750-4_34. 

11 Robert Beals. Quantum computation of Fourier transforms over symmetric groups. In 
Proceedings of the 29th Annual ACM Symposium on Theory of Computing (STOC 1997), 
pages 48-53. ACM, 1997. doi: 10. 1145/258533.258548. 

12 Peter H0yer. Efficient quantum transforms. 1997. arXiv:quant-ph/9702028. 

13 Mark Ettinger and Peter H0yer. A quantum observable for the graph isomorphism problem. 
1999. arXiv:quant-ph/9901029. 

14 Oded Regev. Quantum computation and lattice problems. SIAM Journal on Computing, 
33(3):738-760, 2004. arXiv:cs/0304005, doi : 10. 1137/S0097539703440678. 

15 Greg Kuperberg. A subexponential-time quantum algorithm for the dihedral hidden sub- 
group problem. SIAM Journal on Computing, 35(1):170-188, 2005. arXiv:quant-ph/ 
0302112, doi : 10 . 1137/S0097539703436345. 

16 Oded Regev. A subexponential time algorithm for the dihedral hidden subgroup problem 
with polynomial space. 2004. arXiv:quant-ph/0406151. 

17 Greg Kuperberg. Another subexponential-time quantum algorithm for the dihedral hidden 
subgroup problem. 2011. arXiv: 1112.3333. 

18 Andrew M. Childs, David Jao, and Vladimir Soukharev. Constructing elliptic curve isoge- 
nics in quantum subexponential time. 2010. arXiv: 1012.4019. 

19 Mark Ettinger and Peter H0yer. On quantum algorithms for noncommutative hidden 
subgroups. Advances in Applied Mathematics, 25(3):239-251, 2000. arXiv:quant-ph/ 
9807029, doi : 10 . 1006/aaina . 2000 . 0699. 

20 Wim van Dam, Sean Hallgren, and Lawrence Ip. Quantum algorithms for some hidden shift 
problems. SIAM Journal on Computing, 36(3):763-778, 2006. arXiv:quant-ph/0211140, 
doi : 10 . 1137/S009753970343141X. 

21 Katalin Friedl, Gabor Ivanyos, Frederic Magniez, Miklos Santha, and Pranab Sen. Hidden 
translation and orbit coset in quantum computing. In Proceedings of the 35th Annual 
ACM Symposium on Theory of Computing (STOC 2003), pages 1-9. ACM, 2002. arXiv: 
quant-ph/0211091, doi : 10 .1145/780542 . 780544. 

22 Cristopher Moore, Daniel Rockmore, Alexander Russell, and Leonard J. Schulman. The 
power of strong Fourier sampling: Quantum algorithms for affine groups and hidden shifts. 
SIAM Journal on Computing, 37(3):938-958, Jun 2007. arXiv:quant-ph/0503095, doi: 
10. 1137/S0097539705447177. 

23 Andrew M. Childs and Pawel Wocjan. On the quantum hardness of solving isomor- 
phism problems as nonabelian hidden shift problems. Quantum Information and Computa- 
tion, 7(5):504-521, Jul 2007. URL: http://www.rintonpress.com/journals/qiconline. 
html#v7n56, arXiv:quant-ph/0510185. 

24 Andrew M. Childs and Wim van Dam. Quantum algorithm for a generalized hidden 
shift problem. In Proceedings of the 18th ACM-SIAM Symposium on Discrete Algorithms 



28 Easy and hard functions for the Boolean hidden shift problem 



(SODA 2007), pages 1225-1232. SIAM, 2007. URL: http://dl.acm.org/citation.cfm? 
id=1283383 . 1283515, arXiv : quant-ph/0507190. 

25 Gabor Ivanyos. On solving systems of random linear disequations. Quantum Information 
and Computation, 8(6&7):579-594, 2008. URL: littp://www.rintonpress . com/journals/ 
qiconline . html#v8n67, arXiv: 0704 . 2988. 

26 Ivan B. Damgard. On the randomness of Legendre and Jacobi sequences. In Advances 
in Cryptology - CRYPTO 1988, volume 403 of Lecture Notes in Computer Science, pages 
163-172. Springer, 1990. doi : 10. 1007/0-387-34799-2_13. 

27 Maris Ozols, Martin Roetteler, and Jeremie Roland. Quantum rejection sampling. In 
Proceedings of the 3rd Innovations in Theoretical Computer Science Conference (ITCS 
2012), pages 290-308. ACM, 2012. arXiv: 1103.2774, doi : 10. 1145/2090236.2090261. 

28 Martin Rotteler. Quantum algorithms to solve the hidden shift problem for quadratics and 
for functions of large Gowers norm. In Proceedings of the 34-st International Symposium 
on Mathematical Foundations of Computer Science (MFCS 2009), volume 5734 of Lecture 
Notes in Computer Science, pages 663-674. Springer, 2009. arXiv: 0911 .4724, doi: 10. 
1007/978-3-642-03816-7_56. 

29 Martin Rotteler. Quantum algorithms for highly non-linear Boolean functions. In Pro- 
ceedings of the 21st ACM-SIAM Symposium on Discrete Algorithms (SODA 2010), pages 
448-457. SIAM, 2010. URL: http://dl.acm.org/citation.cfm?id=1873601 .1873638, 
arXiv: 081 1.3208. 

30 Dmitry Gavinsky, Martin Roetteler, and Jeremie Roland. Quantum algorithm for the 
Boolean hidden shift problem. In Computing and Combinatorics, volume 6842 of Lecture 
Notes in Computer Science, pages 158-167. Springer, 2011. arXiv: 1103.3017, doi: 10. 
1007/978-3-642-22685-4_14. 

31 Mirmojtaba Gharibi. The non-injective hidden shift problem. Master's thesis. University of 
Waterloo, Canada, 2011. URL: http://hdl.handle.net/10012/6478, arXiv: 1207.4537. 

32 Lov K. Grover. A fast quantum mechanical algorithm for database search. In Proceedings of 
the 28th Annual ACM Symposium on Theory of Computing (STOC 1996), pages 212-219. 
ACM, 1996. arXiv:quant-ph/9605043, doi: 10. 1145/237814. 237866. 

33 Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani. Strengths and 
weaknesses of quantum computing. SIAM Journal on Computing, 26(5):1510-1523, 1997. 
arXiv:quant-ph/9701001, doi: 10. 1137/S0097539796300933. 

34 Wim van Dam. Quantum algorithms for weighing matrices and quadratic 
residues. Algorithmica, 34(4):413-428, 2008. arXiv:quant-ph/0008059, doi: 10. 1007/ 
S00453-002-0975-4. 

35 Ethan Bernstein and Umesh Vazirani. Quantum complexity theory. SIAM Journal on 
Computing, 26(5):1411-1473, 1997. EarKer version in STOC 1993, pp. 11-20. doi: 10. 
1137/S0097539796300921. 

36 Rocco A. Servedio and Steven J. Gortler. Equivalences and separations between quantum 
and classical learnability. SIAM Journal on Computing, 33(5):1067-1092, 2004. doi: 10. 
1137/S0097539704412910. 

37 Alp Atici and Rocco A. Servedio. Improved bounds on quantum learning algorithms. 
Quantum Information Processing, 4(5):355-386, 2005. arXiv:quant-ph/0411140, doi: 
10.1007/slll28-005-0001-2. 

38 Ronald de Wolf. A brief introduction to Fourier analysis on the Boolean cube. Theory of 
Computing Library - Graduate Surveys, 1:1-20, 2008. doi : 10. 4086/toc .gs .2008.001. 

39 Thomas W. Cusick and Pantelimon Stanica. Cryptographic Boolean Functions and Ap- 
plications. Academic Press/Elsevier, 2009. URL: http : //books .google .ca/books?id= 
QAkhkLSxxxMC&pg=PA73. 



A. M. Childs, R. Kothari, M. Ozols, and M. Roetteler 29 



40 John F. Dillon. A survey of bent functions. The NSA technical journal, pages 191-215, 
1972. 

41 Jessie F. Mac Williams and Neil J. A. Sloane. The theory of error- correcting codes: Part 2. 
North-Holland, 1977. URL: http : //books .google .ca/books?id=nv6WCJgcjxcC&pg= 
PA426. 

42 John F. Dillon. Elementary Hadamard difference sets. In Proceedings of the 6th Southeast- 
ern Conference on Combinatorics, Graph Theory, and Computing, pages 237-249. Utilitas 
Mathematica Pub., 1975. 

43 Hans Dobbertin. Construction of bent functions and balanced Boolean functions with high 
nonlinearity. In Fast Software Encryption, volume 1008 of Lecture Notes in Computer 
Science, pages 61-74. Springer, 1995. doi: 10. 1007/3-540-60590-8_5. 

44 Andris Ambainis, Kazuo Iwama, Akinori Kawachi, Hiroyuki Masuda, Raymond H. Putra, 
and Shigeru Yamashita. Quantum identification of Boolean oracles. In Proceedings of 
the 21st Annual Symposium on Theoretical Aspects of Computer Science (STACS 2004), 
volume 2996 of Lecture Notes in Computer Science, pages 105-116. Springer, 2004. arXiv: 
quant-ph/0403056, doi : 10 . 1007/978-3- 540-24749-4_10. 

45 Michel Boyer, Gilles Brassard, Peter H0yer, and Alain Tapp. Tight bounds on quantum 
searching. Fortschritte der Physik, 46(4-5):493-505, 1998. arXiv:quant-ph/9605034, doi: 
10 . 1002/ (SICI ) 1521-3978 ( 199806) 46 : 4/5<493 : : AID-PR0P493>3 . . CO ; 2-P. 

46 Paul Hausladen and William K. Wootters. A 'pretty good' measurement for distin- 
guishing quantum states. Journal of Modern Optics, 41(12):2385-2390, 1994. doi: 
10. 1080/09500349414552221. 

47 Dave Bacon, Andrew M. Childs, and Wini van Dam. From optimal measurement to efficient 
quantum algorithms for the hidden subgroup problem over semidirect product groups. In 
Proceedings of the 46th Annual Symposium on Foundations of Computer Science (FOCS 
2005), pages 469-478, Oct 2005. arXiv:quant-ph/0504083, doi : 10. 1109/SFCS.2005.38. 

48 Thomas Decker, Jan Draisma, and Pawel Wocjan. Efficient quantum algorithm for iden- 
tifying hidden polynomials. Quantum Lnformation and Computation, 9(3-4) :215-254, 
2009. URL: http://www.rintonpress.eom/journals/qiconline.html#v9n34, arXiv: 
0706.1219. 

49 Christof Zalka. Grover's quantum searching algorithm is optimal. Physical Review A, 
60:2746-2751, 1999. arXiv:quant-ph/9711070, doi : 10. 1103/PhysRevA.60.2746. 

50 Thomas Koshy. Catalan Numbers with Applications. Oxford University Press, 2008. URL: 
http : //books . google . ca/books?id=MqPLSivdBDAC&pg=PA48. 



